GenAI phishing is now a thing. You might want to deploy it for your clients or your company, but you might also want some scenario suggestions to get your creative juices flowing.
This article is for you: we compiled and share here a few scenario ideas that we have implemented in our phishing simulation platform.
I hope this inspires you and gives you new ideas to improve the quality of your phishing simulations.
Social Engineering Principles for Phishing Scenarios
Before jumping to scenario ideas — see next section if you can’t wait ;) — let’s just take a very quick look at common manipulation tactics that we can use in social engineering to increase the effectiveness of our scenarios.
There are many ways to influence people into taking dangerous actions that could yield initial access and account compromise.
The goal here is to bypass the rational brain and make the target react emotionally, sidestepping any awareness training that could otherwise make our attempt fail.
If you feel this is unfair to employees: without diving too deep into awareness training methodology, when it comes to simulating threats we consider that you need the most realistic ones if you want to evaluate and train correctly.
Attackers won’t be nice and “pedagogical”. This is what they do.
The most common influence levers are usually:
- Authority: sending the email from someone in a position of authority
- Pressure: usually fear or urgency
- Familiarity or intimacy, which makes the target lower their defenses
- Curiosity, a powerful tool too, which can make users click on things they shouldn’t, like a document shared “by mistake”
- Financial gain, a general trick that works pretty well: gifts, free access or coupons are fairly successful at compromising targets
Like a recipe, we want to use these ingredients in various proportions for our scenarios. They are non-exclusive and can be combined when it fits the pretext.
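The same levers are useful on the receiving side. The following is an added example, not code from the original post or from the authors' platform: a small Python heuristic that scores an incoming message for cues associated with each lever and flags messages that combine several levers with a call to action, which is exactly the recipe described above. The cue lists and the sample messages are constructed for illustration and are an assumption, not a vetted detection ruleset.

```python
import re
from dataclasses import dataclass, field

# Cue vocabularies for each influence lever listed above.
# Constructed, illustrative patterns; a real ruleset would be tuned on
# the organisation's own mail corpus.
LEVER_CUES = {
    "authority": [r"\bceo\b", r"\bcfo\b", r"\bdirector\b", r"\bmanagement\b",
                  r"\bcompliance\b", r"\bpolicy\b", r"\bhr department\b"],
    "pressure": [r"\burgent\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
                 r"\bfinal notice\b", r"\bsuspend", r"\bdeadline\b"],
    "familiarity": [r"\bas discussed\b", r"\bas we agreed\b", r"\bhey\b",
                    r"\bhope you are well\b"],
    "curiosity": [r"\bconfidential\b", r"\bshared by mistake\b",
                  r"\bnot intended for\b", r"\byour evaluation\b",
                  r"\bevaluation report\b"],
    "financial_gain": [r"\bgift card\b", r"\bcoupon\b", r"\bbonus\b",
                       r"\bfree\b", r"\bvoucher\b", r"\brefund\b"],
}

# The action the lure wants the reader to take (click, log in, open a file).
ACTION_CUES = [r"\bclick\b", r"\bsign in\b", r"\blog in\b",
               r"\bopen the attached\b", r"\bverify\b", r"\bconfirm your\b"]


@dataclass
class LeverScore:
    levers: dict = field(default_factory=dict)  # lever name -> cue hits
    has_action: bool = False
    score: int = 0


def score_message(subject: str, body: str) -> LeverScore:
    """Count lever cues in subject+body and derive a simple risk score."""
    text = f"{subject}\n{body}".lower()
    levers = {}
    for lever, patterns in LEVER_CUES.items():
        hits = sum(len(re.findall(p, text)) for p in patterns)
        if hits:
            levers[lever] = hits
    has_action = any(re.search(p, text) for p in ACTION_CUES)
    # One point per distinct lever present; a bonus when at least two
    # levers are combined with a call to action, the classic lure shape.
    score = len(levers)
    if has_action and len(levers) >= 2:
        score += 2
    return LeverScore(levers=levers, has_action=has_action, score=score)


def needs_review(subject: str, body: str, threshold: int = 3) -> bool:
    """True when the message scores high enough to deserve analyst review."""
    return score_message(subject, body).score >= threshold


# Constructed sample messages (not real mail).
SAMPLES = [
    ("Urgent: IT policy update requires your signature",
     "Management has approved a new compliance policy. "
     "Please sign in immediately to acknowledge it."),
    ("Evaluation report: confidential",
     "The attached evaluation report is confidential. "
     "Open the attached file to review your results."),
    ("Team lunch on Friday",
     "Hi all, we are booking the usual place for Friday noon. "
     "Let me know if you can make it."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        result = score_message(subject, body)
        flag = "REVIEW" if needs_review(subject, body) else "ok"
        print(f"[{flag}] score={result.score} levers={result.levers} "
              f"action={result.has_action} :: {subject}")
```

The first sample combines authority and pressure with a sign-in request and is flagged; the second relies on curiosity alone and scores low; the benign lunch note scores zero. The point is not the keyword lists themselves but the scoring shape: a single lever is common in legitimate mail, while several levers plus an explicit action is the pattern the pretexts in this article are built on.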
Using generative AI to generate generic scenarios allows us to send unique phishing emails to a large number of employees.
This has many benefits, from stealth to higher realism to better training.
Here are a few examples of scenarios that can be sent indiscriminately to large employee groups.
Internal job offers access
Opportunities for career advancement are usually a topic of great interest for employees.
These job offers are usually shared through an internal platform, which makes them a great opportunity to orchestrate a credential harvesting attack.
Document sharing: internal letter for all employees
The concept is very simple: there is a communication from management to all employees. It can be scheduled at specific times of the year, or you can stage a special, out-of-the-blue announcement.
Document sharing is great and can be spun into either credential harvesting scenarios or attachment attacks.
These can leverage authority (depending on the sender), curiosity (depending on the content) and some level of urgency.
Document sharing: evaluation report
Much like the previous one, this scenario allows many variations.
Merge tags let you make the email feel more personal. Timing can be an issue, but the way you present the report can justify some kind of exceptional evaluation that can be conducted at any time during the year.
IT Policy Update
This one carries authority, like everything related to rules of procedure, compliance and administration. It comes from the top and should be signed, or at least read, by the recipient.
To reduce friction, we like to use this one with an attachment rather than a credential harvesting link, as the target might postpone the email if reading and accessing the document takes too many steps.
Who doesn’t like new shiny gear?
Any email coming from the IT department asking to opt-in to get fancy new computers, mobile phones or even cars — this last one might not be coming from the IT department — will get some attention.
We prefer this one for credential harvesting as these operations usually go through an internal platform, but we could see how a PDF or DOC submission would also work.
It would be lazy, and not much fun, to stick with generic scenarios.
With a powerful tool like generative AI, we can push the envelope and go for targeted scenarios.
Here are a few ideas based on company information and job roles, since this information is commonly available with very little effort and is routinely used in real phishing operations.
HR: new applicant
Some profiles are hard to come by, and if a company is recruiting, sending a resume by email is usually a good way in.
Even if there is an Applicant Tracking System (ATS) that should reduce direct emails with attachments, this pretext will usually work with a direct email carrying the resume as an attachment.
Sales: quote request
What salesperson wouldn’t be interested in new business?
This one works great with attachments. A broken PDF file containing the alleged specs for a project the prospective customer is interested in will get opened.
C-level: the disturbing journalist request
This one is a favorite of mine when it comes to C-levels.
We did it (manually) some time ago to close a prospective customer and show him how he — despite being convinced of the contrary — could be phished.
Imagine this: you receive a request from a journalist writing a hit piece on your company, who sends you the draft of the article and requests your comments.
This is a pretty cool scenario that genAI can spin into many different versions.
There you have it.
A collection of scenario ideas you can use to enrich your phishing simulation library.
If you want a ready-made version of these, they are all (and more) in our phishing simulation platform. Request demo access here if you want a tour.